The Internet & Wassenaar: This Changes Everything


Legislation is tricky stuff. Hard to understand, hard to follow. Hard to undo.  Which is why we need to be aware of things that have the potential to impact us be so we can get ahead of them incase there is a problem.  The reality is, time won’t be on our side.

As is the case with the Wassenaar Arrangement, and the proposal to enforce it by the US Business of Industry and Security (BIS).   Wassenaar is a voluntary agreement between 41 countries, with the purpose of regulating the knowledge of how to create “intrusion software,” which is defined as “software that is capable of extracting or modifying data or modifying the standard execution path of software in order to allow the execution of externally provided instructions.”   Their mandate is for controls to be put in place over intrusive software that could become digital weapons, used by regimes to subjugate their citizens, or  spy on their personal lives. While this sounds like a good premise, it’s actually far-reaching and has the potential to create a lot of collateral damage. And the direct recipients of that damage are the very people we need to keep us and our information safe online: those who work with security testing, research and software.

wassenaar-arrangementThe objectives of Wassenaar and the BIS have only been furthered by the recent publicity over the attack of Hacking Team, a cyber espionage outfit that counted governments as clients and whose dealings were kept secret for the benefit of both sides. As per the recent article by Katie Moussouris in Wired,

“Security experts warn that overzealous laws will stifle this vital security research that aids defense. Many also fear these regulations will put legitimate tech companies out of business due to excessive license application burdens and delays in the ability to sell security products and compete globally.”

Here’s the truth of it. By enforcing the broad mandate of Wassenaar as per BIS, we shut down the very organizations and people who can best act as our first line of defence. There is no question that malware and cybercrime are evolving rapidly, and that we do not have full control over our security.  Those who seek to profit from using and abusing technology will continue to do so, and find ways around any legislation, or risk existing penalties in favour of what they stand to gain, be that money, power or both. Wassenaar will not rewrite human nature any more than it will prevent the inevitable from happening.


We need to have people finding the bugs in our software that could be exploited and making that knowledge available through vulnerability research and disclosure. But the legislation would control information necessary for research, testing & development. Security researchers and companies must be able to watch over existing traffic and monitor it for threats without fear of reprisal.  To fully appreciate just how BIS and Wassenaar will impede security providers I encourage you to read the full article by Katie Moussouris in Wired here.

“One thing is constant: Those who wish to create tools and use or distribute them to cause harm will continue to do so with the impunity that was revealed in the internal communications of the hacked Hacking Team. No regulation will stop them. It is our job to collectively ensure that no regulation stops defenders.”

BIS has invited public feedback about what they propose but the deadline is today, July 20.  If you can, speak up today. Here are some helpful guidelines:

  1. Give examples of what technology is caught by these rules and what the impact will be.

  2. Explain in detail the burden to organizations and individuals who will have to apply for export licenses under the new rule.

  3. Show how the new rule won’t achieve the stated goal of protecting human rights, but instead will hinder defense of the Internet.

Comments on this rule may be submitted to the Federal rulemakingportal ( The ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments.

We all have a stake in how Wassenaar plays out. And today, we all have an opportunity to influence that outcome.




UPDATES: Microsoft Patch Tuesday: Critical Updates for RDP and Explorer

There are urgent fixes required for Internet Explorer, as one more zero day is added to the growing pile of fallout from the Hacking Team hack. This flaw is being actively exploited by hackers, so IE users need to get the patch on ASAP. And there are equally urgent fixes to apply for RDP Remote Desktop Protocol, Office and Windows because of active exploits in play. Other fixes address issues of remote code exploitation and elevation of privilege.

THE BIG STORY: Get the Flash Outta Here!
flashOr better yet – how many zero days can you release in a week? Seriously, the time has come and the time is now to get rid of Adobe Flash Player. After Hacking Team got hacked a week ago Sunday, some of the spillage included several zero day vulnerabilities they had been sitting on. And while Flash seems to be a manufacturing plant of flaws that was no excuse. Hackers have been lying in wait for the good stuff to emerge. When it did, they were ready and jumped all over it. Exploits are booming. If we thought we had problems with folks clicking on stuff they shouldn’t before this, it’s going to be malware-palooza if Flash remains enabled. Mozilla was first to take direct response, and Firefox has blacklisted Flash Player. Who’s next?

Java Zero Day

Adding to all the fun is a zero day for Java, due to an unpatched flaw by Oracle. Note that this is the first Java exploit to be reported in almost 2 years. And users cannot downgrade to earlier versions which aren’t susceptible because of the way Oracle does things. A cybercrime group, out of Russia? Pawn Storm, has been using this nifty little flaw in their attacks on various nation-states and governments & armed forces. Yes, like in “War Games”. The recommendation by security experts is to disable java in browsers for now until it’s patched, especially given the triple-header of Flash zero days on hand.

Oh Windows XP Users … ripwinxp

With all this talk of zero days, folks still using Win XP have not been getting any security patches since April 2014. Just imagine. Today, support for Microsoft’s Malicious Software Removal Tool and updates officially ends. There will be no more. But there are still approximately 180 million users out there, which amounts to 12% of all Windows users. Be warned: an anti-virus product isn’t going to fix Windows vulnerabilities and flaws. If the saying holds true that you get what you pay for, then expect that you will pay for not upgrading to a patchable, safer version of Windows.
And let’s not forget Windows Server 2003. End of Life is also today.

The OpenSSL Patch or Much Ado about Nothing

Given all the advance hype leading to this mysterious flaw and its urgent patch, I am happy to report that this issue is not another HeartBleed or worse. Infact, only newer versions of OpenSSL are affected.
Apparently, any application that verifies certificates, including SSL and TLS, could be compromised by this problem: OpenSSL tried to find an alternative certificate chain if its first try to build a chain fails. If an error occurs during the implementation of this logic, an attacker would be able to cause certain checks to be bypassed on untrusted certificates. They would then be able to forge a trusted certificate and then set up Man in the Middle attacks. BUT this won’t have a widespread impact as most web browsers currently do not use OpenSSL and not affected. OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.

A New Threat in Corporate Espionage takes Wing

A corporate espionage group dubbed “Butterfly” has been raiding a varied selection of civilian firms for valuable intellectual property. Companies run the gamut from tech, legal, pharmaceuticals, commodities. Most are listed in the Fortune 200 and are publicly traded. Those attacked include multi-billion firms like Microsoft and Facebook.
What sets this group apart from other cybercrime gangs is that they are very well resourced, utilize customized malware tools and zero days, and are not going after credit card or customer data. They were first identified in 2013, then seemingly went undercover, but were actually operating without detection, hitting 49 companies in 20 countries. They track their prey to favoured online “watering holes” – sites visited frequently by people within the target company. Vigilance, anti-virus and intrusion detection systems are as this group is disciplined, and increasing their attacks.


TeslaCrypt is the newest variant of ransomware, having made its dubious debut in Feb 2015. It likes to target computer game files, like saves and profiles. And has become a chameleon, taking on new identities eg TeslaCrypt, AlphaCrypt and now pretending to be CryptoWall, with a variety of file extensions to match: .ecc, .ezz, exx.teslacrypt
The latest version differs in its enhanced encryption. Bad news for victims because at this time it is impossible to decrypt files hit by TeslaCrypt. And it now uses an HTML page and not a GUI. The methodology: a victim visits an infected website; malicious code uses vulnerabilities in the browser – plugins like Adobe Flash – to install target malware in the system. The best safeguard is backing up data daily, and stored away from systems that could become infected.

Thanks for reading! 

My First “Con”: Alice in Security Wonderland


This month I did something that is a rite of passage for anyone in InfoSec:  I attended my first “Con”, Circle City in Indianapolis, a Security Convention that is about the community and largely attended by … hackers.

Let’s clear up a big misconception. The hackers I know are definitely not this stereotype found ad nauseum.  Yes, there are hackers who choose to attack our systems, steal data, and threaten our security.  But there’s a whole other group out there who are also hackers, and in the constructive definition of the term.  They “hack” to understand and improve the code and technology we use everyday;  they test networks and programs, finding weaknesses and vulnerable points we need to defend from the attackers. Highly skilled and naturally curious, they understand our systems better than we understand ourselves.  They know what can go wrong because they know how it can be broken, and that prevention is the best fix.

Cons offer a major venue to present new research and discoveries, and to discuss theories about a fascinating range of topics that impact Information Security.  There are a variety, in different flavours, with varying appeal. And they happen throughout the year. Every year in  August, Las Vegas hosts DEF CON, a massive hacker event, alongside the more corporate Blackhat, and BSidesLV, from the popular local BSides series encouraging novice through expert.   We have some in Canada, but the cost of admission and travel are big factors for attendance.  When I asked what first Con should be, Circle City was the resounding choice.  Smaller, new (this was its second year and very successful), it would be well-attended by people I knew, and feature a diverse mix of classes and talks.

To say this was an incredible learning opportunity would be an understatement. There was a constant exchange of information happening on and offline.  I felt like I was back in university- in a very good way- as we worked together in small groups to resolve a given problem and then present to the class.  And there I was, sitting and working with some of the smartest, most interesting people I have ever met, who made me feel welcome and invited my contributions.  It was truly a privilege.

The best connections however, aren’t plugged into the network, but those made within the network of attendees.  This is a community.  There is an open camaraderie as folks who spend most of the year connecting online enjoy this opportunity to connect face to face. Attendees wear t-shirts from the past cons they’ve attended.  Badges on lanyards denote speakers, participants, staff, and trainers.  Tattoos are a walking montage of art and personal expression. Some describe themselves as introverts, but at these Cons they are among friends, accepted and welcomed.  And then there are the parties, when hackers come out to play and the fun lasts all night long.  A series of artful DJs delivered a wicked sound and light show as a wish-list of arcade games beckoned and we talked until we lost our voices. Yes, Alice, welcome to InfoSec!

Closing ceremonies may be worth missing at some conventions, but I’m glad I stayed to take it all in.  It was all good fun watching prizes bestowed on heartily enthusiastic winners.  Raffle tickets were sold in handfuls to keen attendees, for a range of prizes including an extraordinary quilt made by one of the members, the intricate pattern actually an encrypted message. Recognition and thanks were sincerely given to those who had given so much.  And then there was moment that brought many of us to tears, as a fellow hacker fighting cancer was welcomed on stage, and the story about bringing him to the Con was told.  This really is a community.

I’m so glad I fell down this rabbit hole to InfoSec. I started following paths on Twitter, which is an incredible repository of access points for up to the minute security developments, detailed research, knowledgeable blog posts, and of course, people with whom to connect. Now my kids regulate my screen time and tweets. Had you told me a couple years ago that I’d sit in on a talk about digital forensics and devour every word of it, I would have called you crazy.  Instead, you can call me Alice, because InfoSec has become my Wonderland of learning and discovery. Welcome to my excellent InfoSec adventure.  I can’t wait for what comes next – in Vegas!


Welcome! To say it’s been an eventful month would be an understatement.  There were some very significant development during May that underline some of the core insecurities that InfoSec has brought to light, like the inherent flaw in encryption on the internet. Yes, Virginai, the Internet is broken. Why? Read on!

Logjam is the latest in encryption attacks, following hard on the heels of HeartBleed, POODLE and FREAK. And it is a big deal, given that security we expected to be protecting our data is not what we’ve been led to trust. Web browsers and email servers can be tricked into using weaker encryption, so that attackers can easily access sensitive data. This means that HTTPS protected sites are vulnerable, as are mail servers and a host of internet services.
Encryption is a necessary thing, though some may have you believe it is a necessary evil, because it gives us the ability to shield sensitive information from prying eyes as we send it from point A to Point B. Mathematical algorithms create this digital reworking of characters, and are supposed to be complex enough that the encryption formula cannot be easily decoded, except by the recipient who has the correct digital key.
However, unbeknownst to most of us, about 20 years ago the US Government downgraded the strength of these encryption formulas significantly, in the pursuit of selling software overseas and making it more accessible. These weak standards remained in place, undermining anything stronger that was built over them in the years that passed. Think of it like a house foundations with cracks covered over by plaster and drywall. Structural integrity was always at risk.
What happens is a MitM (man in the middle) attack can downgrade the encryption level between users and web or email servers from a robut 2048 or 1024 bits to 512 bit keys which offers little protection against attackers or decryption. While FREAK is due to implementation flaws, Logjam is inherent in the design of the TLS (transport layer security) protocol.
Technically, what has been impacted is the Diffie-Hellman key exchange cryptographic algorithm. You can read all about that here: (and yes, I actually did for this piece!). This is what generates the encryption algorithm and affects any server that supports DHE-EXPORT ciphers and all modern browsers.

Why Logjam is a major vulnerability:

  • The flaw allows an attacker to trick a web browser into believing that it is using a regular key, not the export key version.
  • Many PCs reuse the same large numbers to generate the keys, which makes them easier for attackers to crack.
  • The flaw has been present for more than 20 years affecting HTTPS, SSH, IPsec, SMTPS, and other protocols that rely on TLS.

You can check if your browser is vulnerable by clicking here. Recommendations include having the server admin disable support for export-grade cipher suites that allow connections to be downgraded, and to generate a new and unique 2048 bit Diffie-Hellman group. End users will need to install browser and email upgrades as they become available.

Rombertik Malware

It’s elusive, evasive, and the next evolution of malware. Newly identified by Cisco researchers, “Rombertik” doesn’t just self-destruct when it finds tools that can detect it. Instead, if tries to destroy the Master Boot Record (MBR) of the machine it’s on, which is destructive because when the machine restarts, it will be inoperable. The MBR is critical to system operation, and is the first sector of a hard drive, where all the initial instructions are at boot up, letting the computer know to load the operating system.

rombertik pic

This is an example of complex malware, hard to detect, and to protect against. Its purpose is to gain access to the target’s browser, read credentials and pilfer other sensitive information which it then collects to send off to a remote server. Rombertik spreads via spam and phishing emails. Here’s how it works:

Once loaded into the system, Rombertik first runs a series of anti-analysis checks to determine if it is running within a sandbox. In case it isn’t running within the sandbox, Rombertik decrypts and installs itself on the victim’s machine, which then allows the malware to launch a second copy of itself and overwrite the second copy with the malware’s core spying functionality. After completing this process and before begins spying on users, Rombertik runs a final check to make sure it is not being analyzed in memory. In case it finds any indication of being analyzed, the spyware attempts to destroy the master boot record (MBR) of the vulnerable computer. Rombertik then restarts the machine, and because now the MBR is missing from the hard drive, the victim’s computer will go into an endless restart loop.

The best defence in this situation is a layered defence, because Rombertik won’t be able to evade all the layers.

Macro Malware’s Re-Emergence. Be Aware. Be Very Aware

Remember that saying “Everything old is new again”? That’s a trend in InfoSec. It’s not at all uncommon for threats to re-emerge after seeming cease, because attackers have taken the time to revisit and retool. Think of it as a more damaging version of reduce, reuse, recycle. What happens is that the malware gets onto computers via spam email attachments. When the user opens the document, they are prompted by a bar along the top asking if they wish to enable macros to read the item. Most people click willingly, enabling the macro and the malware. The malware then becomes a portal for even nastier stuff waiting in the wings, like the banking Trojan, Dridex, which hunt down and collect valuable personal and financial information. Once again, the onus is on the end user to be aware of what they open and click, but that isn’t always an easy judgement call as these emails look very convincing. Currently, most attacks are happening within the US and the UK.

WordPress XSS Vulnerability on Default Site

The twenty fifteen site can be hijacked. The vuln exists in the default installation of Twenty Fifteen Resides in the genericons pkg and is DOM-based or (document object model) which handles how text, images, headers and links are represented in a browser. Target clicks a malicious link while logged into the site, enabling attacker to gain control. Many hosts have patched the security hole as of today.

But wait – there’s more! The vulnerability exists in eShop, a shopping cart plugin for the content management system with 10,000 active installs and over 600,000 downloads. BUT eShop has not been updated in almost two years.
The risk is insufficient validation. “The cookie’s user-supplied input could be exploited by an attacker to overwrite arbitrary PHP variables, which could lead to full path disclosure and cross-site scripting.”
Genericons is an icon package that figures into the Jetpack plugin and the TwentyFifteen WordPress theme. It is at risk from a DOM-based Cross-Site Scripting (XSS) vulnerability. Jetpack has over a million installs to date. TwentyFifteen is a popular theme and loaded by default in most WordPress installs.

“What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations,”

This was according to David Dede, the malware researcher at Sucuri, who discovered the issue and disclosed it. Nearly a dozen WordPress hosts – GoDaddy, WPEngine, and Pagely to name a few – preemptively patched the issue in the week’s leading up to Sucuri’s disclosure. Your best bet now is to keep all WordPress up to date.

New Ransomware: AlphaCrypt

It looks like TeslaCrypt. It behaves like CryptoWall. Like Dr.Frankenstein played with the code. But this new version comes with new features – it deletes the VSS so your shadow volume is gone. You don’t have that backup protection in place. And it operates in a very covert manner so that you won’t find out until it’s much too late. No messages are shown to the victim as the processes execute. Being delivered via an Angler exploit kit near you.

How Dyre Malware Continues to Evolve

While this is considered a common banking Trojan, what matters here is how this is malware is evolving to evade analysis done by sandboxing. That means that conventional methods and signatures are no longer effective or reliable. Evasion techniques have become better and more prolific over a short span – less than a year – for malware. Upatre malware often works in concert with Dyre and this too has enhanced its evasion techniques.

Torrent and the Fiesta Exploit Kit

This impacts a popular torrent site for music and movies. Despite aggressive ads and popups, people still flock to it. When a target browses the site, a malicious redirection silently loads the Fiesta exploit kit and associated malware payload. Users with anti-malware/VP are shielded. The site itself is compromised via a well-concealed iframe.

More Lenovo Woes

Again lax security practices. This time it’s a way that attackers could bypasss signature validation checks and replaced trusted apps with malicious ones. These could then be run as a privileged user. System update downloads executables from the internet and runs them. Remote attackers can use a MiTM attack, via Starbuck WiFi, and exploit this. Lenovo claims they have patched, but after the Superfish crapware from February, how much do we trust them?

So Long Patch Tuesday

Yes. It’s official. Microsoft will be doing security updates and releases differently with the release of Windows 10. Which, incidentally, needs it’s own name.


We’ve had some big security issues over the past year. But Venom isn’t going to be one of them, despite the name. Sometimes, it’s easy to get carried away by the hype and hyperbole. If we’re doing our job right, though, rather than scaring you we’re preparing you.
This latest vulnerability, classified as CVE-2015-3456, is a problem in the floppy drive emulation code found on many virtualization platforms. What that means is if an attacker were able to, by considerable effort, escape the Guest OS, they could use the host to launch other network attacks. Essentially, an administrator account would have to be compromised for this to happen. Only certain platforms are impacted and they have patches currently available. Major VMs that are not impacted include:

  • VMware
  • Microsoft Hyper-V
  • Bochs
  • AWS
  • Linode

WordPress Sites Backdoored

Another week, another WordPress security issue. According to Zscaler, this time multiple WordPress sites are leaking credentials. Compromised sites are implanted with a “Backdoor” code that serves up injected JAVA script when the user enters their credentials on the login page. The end user remains oblivious as they are redirected to a successful logged in session of a WordPress site. Meanwhile, those valuable credentials are encoded and sent to off to the attacker’s command and control server. The recommendation from the ZScaler security research report is what we’ve been saying consistently:

“It is extremely important for the site administrators to keep their WordPress sites patched with the latest security updates,”

PHP Hash Comparison Flaw May Put Many Sites at Risk

About a year ago, a flaw in PHP password hashes was identified involving the equals-equals operator (==). Robert Hansen, vice president of WhiteHat Security, describes the issue as “one that affects any website that uses two specific types of operators for comparing hashes in PHP.” The issue mostly affects authentication, but this could extend to binary checking, cookies, and passwords, among other things.

“The problem is how PHP handles hashed strings when either the double equal (==) or “!=” operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0. So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.”

This gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said. Until now, there haven’t been examples of these hash types.

GPU Keylogger and Linux Rootkit attacks

Malware just keeps evolving. This time it’s targeting the GPU over the CPU with 2 new items: Jellyfish Rootkit for Linux and Demon Keylogger. The GPU, graphics processor unit, has its own processor and memory. That allows the malware to operate incognito, attracting no attention since malicious code isn’t modifying processes in the main operating system kernel. The danger becomes that these types of rootkits can snoop on the CPU host memory via the direct memory access (DMA). This allows hardware components to read the main system memory without going thru the CPU so actions are harder to catch.
Some attacker advantages with GPU are:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

For reference purposes, a GPU-based keystroke logger consists of two main components:

  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory
  • A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events

Breaking Bad Themed Crypto Ransomware

This latest ransomware, Trojan.Cryptolocker.S, is currently going after computers running Windows based systems in Australia. The attackers leverage social engineering methods to get victims to open a malicious zip archive file, apparently with a major courier firm in the file name. Attackers then can run their own PowerShell script on the computer to run the ransomware. Encryption uses a random AES key, which is then encrypted with an RSA public key. Targetted files for encryption include media files, music, images, .lnk and .rar extensions.


Symantec has a blog post about how to stay protected if you get ransomware here.

You know that Flashlight App you have?

Time to shed a little light on a dark matter. The top 10 Android flashlight apps are actually malware designed to steal your data off your mobile device.

SOHO Router Woes Persist

There seems to be an ongoing inherent risk with these devices. This time the vulnerability is in the NetUSB software. This component – found on nearly all common commercial routers like Netgear, TP Link, TrendNet etc – enables users to directly connect their printers, flash drives and other USB enabled items. But because these devices don’t have sufficient input validation an attacker can overflow the “computer name” kernel stack buffer. That causes memory corruption, which can then be exploited for arbitrary remote code execution. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received. Though modem companies have been advised, to date only TPLink has issued fixes.

Scam Artists and What Not to Fall For

By now, we’ve all heard about the “Windows is Calling” setup. But, people are still falling victim to these bogus scareware schemes. Users cannot help but respond to the alarming popup boxes on screen that say their computer is infected. Now these attacks have become more sophisticated. Even brand new PCs have warnings about “Windows Event Logs”. Most users have no idea what that means, but it sound serious, doesn’t it? In other scams the browser becomes locked, making the supposed situation appear even more dire to the user. And now MAC warnings have entered the fray. Since many of these occurrences are browser-based, a good precaution is to have a backup browser set up to use in case your main one gets locked up by these scammers. And be alert for the latest scheme, which includes a bogus internet service provider or ISP advising users they have become part of a “BotNet”, but that by paying a fee to the “ISP”, the user can be released. Yes, BotNets are real, but not in this case. We know better and now – so do you! Stay safe.
Silly Putty or Trojan PuTTY

A malicious version of this popular tool is currently in circulation. Users who download it need to be mindful of where they download from, and to check the About Info stats to confirm it’s friendly.

End Users, Attitudes and Security Issues

Technology offers amazing productivity and solutions when used right, but it doesn’t govern itself. Even the best intrusion detection and prevention systems cannot adequately account for the “human factor”. Recent research shows that:

  • 82% of US employees know that opening emails from unverified sources is risky and 17% still do it
  • 72% know using a new app without IT sign-off is wrong but 28% still do it
  • 22% download apps from outside Apple APP store or Google Play, and we know stuff in there isn’t all kosher

According to Hugh Thompson, CTO and senior vice president, Blue Coat Security,

“This is not a problem we can educate our way out of … We need to change training awareness around actions and how awareness is linked to action … Security solutions need to facilitate employees’ work seamlessly.”

Bottom line: All the king’s horses and all the kings men can’t fix what goes wrong when Humpty decides to do as he pleases.

Vulnerability in Safari Allows Attackers to Spoof websites

Safari can be forced into loading one page while still displaying the URL of another page. The bug works on fully patched version of iOS and OSX. Users who are not aware of this risk could be redirected to a malicious site where they then get infected with malware or their credentials are stolen.

Moose on the Loose

ESET researchers have identified a new worm infecting routers. It can be used toward social networking fraud, hijacking victim’s internet connection to “like” items, “view” videos, “follow” account. While this may not look dire, the manipulation of social media is a growing trend. This can lead to DDos attacks, DNS \hijacking, etc. Linux/Moose infects Linux based routers and other Linux based devices. It takes advantage of weak configurations and poorly chosen login credentials (What can I say?) So there is collateral damage to other devices connected to these routers. Including things like … drug pumps. All the common commercial names like TP Link, ZyXEL, Netgear etc are factored in. EXET has a detailed technical report including methods users can apply to determine if they are compromised and cleaning instructions.

Android Factory reset doesn’t wipe data completely.

That means user data including SMS, photos, and videos, could be recovered. Even encryption keys and master tokens for Google and Facebook were recovered in 80% of the cases. 500 million devices “may not properly sanitize their data partition where credentials and other sensitive data are stored and up to 630 million may not properly sanitize the internal SD card where multimedia files are generally saved.”

Fake FBI Ransomware

This one comes via Android and poses as an Adobe Flash Player update – oh how we love Adobe! Once active it announces itself via an FBI warning screen. It even includes screenshots of “questionable” browsing history and orders victim to pay up. This variant is the Android Trojan SLocker-DZ, one of the most prevalent android ransomware families with regular new variants. It does not encrypt the contents of compromised smartphones but renders the devices home screen button and back functionalities useless. Shutting down the device doesn’t work because the malware runs when the OS boots.

Evolution of New POS Malware

It’s hard to swipe a card these days and not winge. This week brings us “Nitlove”, a macro-based malware designed to steal card data from Windows PoS systems via spam emails. When the clerks check their emails on the terminals – and of course they do – they will encounter an unsolicited email from a spoofed Yahoo mail account referencing job opportunities with a CV attachment. That is where they’ve embedded the malicious macro.
According to FireEye, the malware copies itself to the disk using NTFS alternate data streams (ADS) so the files won’t be visible right away. Then it monitors and respawns if there are attempts to delete it. It will then scrape track one and track two card data, save and send it off to the C&C server in Mother Russia. Via SSL. Apparently, those security issues aren’t a concern for them.
CHIP and PIN technology used in Canada and Europe really safeguards users against this risk, but the USA is still struggling to make it happen there.

Friday Fun: InfoSec Geek Speak

geekkspeakFind yourself mystified by all the acronyms and terms you hear when anything tech comes up? You don’t want to speak it – you just wish you knew what the heck it meant. No problem. In today’s Friday Fun installment, I’ll get you up to speed. Thanks to the fine folks at Raytheon, (sponsors of this excellent endeavour, the National Collegiate Cyber Defense Competition NCCDC) I can share this glossary of terms.  And consider yourself just that much more up to speed on your own safety and security!

InfoSec Geek Speak Glossary

@ — Symbol chosen by Ray Tomlinson, a Raytheon BBN Technologies engineer who sent the first Internet email, to separate the names of users and their networks in addresses.

Advanced Persistent Threat — A group, such as a government or a criminal organization, with the expertise, resources and intent to target a specific entity. An APT uses multiple methods to break into a network, avoid detection and harvest valuable information over a long period of time.


Air gap — To physically separate or isolate a secure network from other unsecured systems or networks.

Back door — A hidden entry to a computer, network or software that bypasses security measures.

Blackhat — A criminal hacker who breaches security for malicious reasons or personal gain.

Blue Team — A group defending a computer system from mock attackers, usually as part of a controlled exercise. During the Raytheon National Collegiate Cyber Defense Competition the blue teams are made up of students.

Bot — A program that automates a simple action. Bots infect computers and secretly perform activities under the control of a remote administrator.

Botnet — A collection of computers infected by bots.botnets

Bot master or herder —Someone who controls a botnet.

DoS Attack — A Denial-of-Service attack disrupts a website, server, or network resource – often by flooding it with more requests than it can handle.

DDoS Attack — A Distributed Denial of Service Attack is a DoS attack using a multitude of machines. Hackers often control one “master” machine to orchestrate the actions of “zombie” machines.

End-point Security — Security measures that protect a network from potential vulnerabilities posed by laptops and other mobile devices that access the network remotely.

Fuzzing — Automated input of invalid, unexpected or random data to a computer program. “Shocking” a computer in this way can reveal vulnerabilities.

Honeypot — A trap set to detect intruders. A honeypot usually simulates a real network but is actually isolated and monitored so it can give advance warning of an intrusion.

honeypot1  honeypot2

Insider threat – A threat posed by employees, contractors, business associates or other people who have inside access to a computer system. Raytheon is the No. 1 insider threat solution provider, protecting hundreds of thousands of endpoints.

Malware —Software designed to hijack, damage, destroy or steal information from a device or system. Variations include spyware, adware, rootkits, viruses, keyloggers, and more.

Patching —The process of updating software.

Pentest — Short for penetration testing, or trying to hack into a system to identify weaknesses.

Phishing — Tricking someone into giving away personal information by imitating legitimate companies, organizations, or people online. The “ph” derives from phreaking, or “phone freaking” — hijacking telephone lines. Spearphishing focuses on a particular target.


Pwned — Pronounced like owned with a “p” at the beginning, pwned means to defeat security measures. Derives from the word “own,” or dominate.

Red Team — A group of cybersecurity professionals authorized to simulate an attack. A “blue team” of students will face a red team at the Raytheon National Collegiate Cyber Defense Competition.

Social Engineering —Manipulating people into sharing private information.

White Team — A group responsible for refereeing an engagement between a red team of mock attackers and a blue team of cyber defenders.

Whitelist — The opposite of a blacklist, a whitelist is a list of people, groups or software OK’d for system access.

Zombie — An infected device that is used to perform malicious tasks under remote control. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service (DoS) attacks.
Thanks for reading and remember … “You Own Your Own Security!”

DRP: What Have I Got to Lose


It happens when you least expect it, when the timing is bad, when it’s the last thing you’re prepared to deal with. That’s why it’s a disaster. But the real disaster is that so few companies are ready with a plan to get them through one.

Most Don’t Have One

As per research done by Symantec in a study from 2011, 57% of small to medium businesses didn’t have a Disaster Recovery Plan (DRP). Those numbers don’t appear to be improving. From an article in February 2015, roughly 60% of businesses in Canada did not have a plan in place to address security incidents like hack attacks, breaches or system failures. This information comes from 2 online surveys done by analyst firm IDC Canada for Cisco, comprising 2000 Canadians and 498 Canadian businesses.

Questions addressed security preparedness, and topics like security policies, recent cyber attacks, and familiarity with mobile and cloud-based applications. The result? Per Cisco “many Canadian businesses operate without any security strategy for their networks and are ‘woefully unprepared’”.


It’s like jumping without a net. Per CRA, a managed IT solutions firm in NYC, the average cost per day of IT downtime can amount to as much as $12,500. Many smaller businesses fail to recover from the financial losses they sustain, and go out of business within a year. As stated by Tom Richer, CRA Chief Sales & Marketing Officer:

SMBs that do not have a disaster recovery plan are taking an unnecessary risk. Not recovering quickly from a disaster or outage could mean the loss of many clients and revenue

So Why Not?

If we know the risks are growing and the costs of downtime are perilously high, why do so few companies have a plan in place? Below are the results from a recent survey done by Continuity Central. The numbers speak for themselves:

  • Lack of budget, funds and resources: 35.6 percent
  • Lack of top management commitment, buy-in and support: 16.4 percent
  • Lack of business unit support: 6.6 percent
  • The low priority given to BCM compared to other deliverables. 5.3 percent
  • Organizational apathy towards BCM: 4.9 percent
  • Staffing difficulties (loss of business continuity staff and difficulties in recruiting staff with appropriate qualifications): 4.8 percent
  • Lack of time available for business continuity staff to manage all their tasks: 3.5 percent

Simply put, lack of preparedness equals a perceived lack of funds and an ongoing lack of buy-in. We are looking at the formula for disaster.

drive crash

What Are You Waiting For?

Last year gave us

  • Mass data breaches: illustrating how Point of Sale malware is increasingly pervasive, continuing to feed our valuable information into the coffers of cybercriminals across the globe
  • The Sony Hack: how disgruntled employees can become destructive forces we don’t anticipate
  • Ransomware: cybercrime knows how to hold us hostage, and we pay regardless
  • Natural disasters: global warming or not, tornadoes, hurricanes, massive blizzards shut down cities and businesses every year

Putting a Disaster Recovery Plan in place is a lot easier than cleaning up the aftermath of a disaster. There are many approaches and templates to work from (I would love to help you with that – just ask!) but the best approach is to take the proverbial bull by the horns and get to work on your plan. Because the old adage holds true: failure to plan is a plan to fail. Don’t let it be yours.

(currently featured on the JIG Technologies corporate site)

Malware Primer: Browser Hijackers & Adware & Spyware. Oh My!

Welcome back for another installment in our series on Malware 101. This time, we’ll get delve into the devious realm of browser hijackers and adware.


Not all surprises are nice. Like when you type in one destination online, and find yourself on another site you really don’t want. And try as you might, you just keep landing back at that site. Sorry but you’ve just been hijacked by your browser. More accurately, by the hacker who has used malware to take control of your browser, and your surfing.

Browser hijacks are performed by malicious software that redirects your browser – Exploer, Google, Firefox, Safari – to a specific site.  This site can then be used to download malware onto your computer, without you realizing it. It’s known as a “drive-by download”, quick and dirty.

It gets worse. You know those bundled offers you get, or combos, whether you want them or not? Well, you’ve not only been hijacked, but you have likely been loaded up with a bunch of malware to take back. Your screen will soon fill with annoying pop-ups; your computer will seem sluggish; strange things will happen to your files. A lot of this is adware, often bundled with browser hijackers. And all courtesy of something you clicked on.


While the adware is annoying, the spyware it carries is more malicious. This stuff hides on your computer, where it tracks and monitors everything you do. Yes that email, tweet, ridiculous comment, all have been recorded and sent elsewhere. Worse, your personal details, banking information and sign on credentials have also been captured for sale and use by somebody you really don’t want to know.

Think of this stuff as tech VD, because cleaning up a nasty infestation reveals it to be a gift that keeps on giving. It’s hard to detect initially. Once you do catch on, the malware has proliferated and spread through your computer. You’ll likely need professional assistance to do a really good clean up job. Unless you have the patience and expertise to follow all the steps and use several different programs to unearth and remove all the malicious files.  It is doable, but you need to be diligent because you need to find and remove all of it. Otherwise, you’ll get reinfected.

Remember – You Own Your Own Security.  Take charge!

Superfish and Lenovo: One Big Fish Fry

“Superfish” by @EddieTheYeti

There’s a nasty little game afoot where new laptops come with undesirable extras. I’m talking about “crapware” – all those annoying little programs and invitations to sign up and buy that suddenly fill your screen moments after you first boot up.  That’s not the way anyone deserves to experience those heady first moments with a major new purchase. And yet, it’s exactly what happens with nearly all new laptops and pcs.

If you ask, you’re told that it’s been in practice by big companies for a while; that it’s the way business is done; that it’s nothing to worry about.  That doesn’t make it right.  And as of today, that doesn’t make it safe.

lenovolaptopIt has been discovered that the plethora of advertising extras pre-installed on Lenovo laptops contains a hidden danger.  A piece of adware, known as “Superfish Visual Discovery”, actually conducts a type of attack known as “MiTM” or Man-in-the-Middle, where it messes with that lovely new laptop’s configuration, and actually compromises a key security component. And no, that is not supposed to happen.  Which is why I think it’s time to speak up and speak out about this practice.

Plenty of top-drawer securitytech experts are currently dissecting and revealing the ugly truth about “Superfish”.  Simply put by Marc Rogers on Marc’s Security Ramblings,:

 badcert Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.

Rik Ferguson offers this explanation on CounterMeasures:

 Superfish also installs its own self-signed Root Certificate Authority… Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security

twittererRob Graham on Errata Security described how he was able to “intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops)”. On Twitter, he challenged the supposition by Peter Hortensius, CTO of Lenovo, that the problem was “theoretical” by saying how he had tested and proved otherwise.  And Steve Ragan on Salted Hash Security News hits the nail on the head when he states:

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

What really bothers me is that most users don’t have the technical skillsets to understand what is actually happening, let alone to diagnose and disinfect.  From my years of experience working with end users, cleaning up this kind of mess definitely  falls outside reasonable expectations of what we should ask most people to do. Helping folks overcome their fear of technology is always challenging.  Most people would just like the problem to go away. Or for someone else to fix it.  There is a point to which you can lead users, but then they balk.certs

My team and I are all about simplifying technology for users. And honestly, if you can teach someone the easy ways to do things right, like security, then it’s like teaching that proverbial man to fish: they’ll be fine for the rest of their lives. But there is nothing simple about cleaning up malware, spyware, adware and the technical mess they inflict on devices.  Nobody who really cares about their customers should be asking them to start prodding around in program or registry files even if the customer is technically qualified.  Because confusion happens and mistakes can be made.

It’s really great to hear the outcry against what’s been going, and to put the issue squarely in front of major manufacturers. Time for certain parties to take a good look in the mirror: How can you proclaim your commitment to improving security when you’re actually contributing to a key source of problems? I love this statement by Marc Rogers on Marc’s Security Ramblings :

We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position

That said, what can you do about it? First and foremost, you need to get that junk off your device.  I’m happy to report that some terrific folks have been addressing that and there are some good suggestions on how to detect and remove.  For those inclined to do take the task on, read the steps through carefully a couple of times to make sure it’s clear before you undertake anything.  I can recommend this piece by PC World.  As well, I found this piece by ZDNet a little more detailed and perhaps easier to follow.

Crapware serves no purpose other than garnering profit.  Lenovo has a PR nightmare ahead, and they have a lot to answer for. While they claim to have halted shipping it back in January, that does nothing about what’s already out there.  Hopefully this serves notice to other distributors about cleaning up their acts so they don’t get caught up in the same net with “Superfish”.   Because the only real victims in this fish fry are the end-users.

NOTE: The awesome pic up at the top is by talented InfoSec member and artist @EddieTheYeti

Security Patches: One Step Forward, Two Steps Back


Security breaches, mass DDoS attacks, ransomware mutations. No question about it – the challenges to information security are constant and ever-changing. Over the past twelve months, InfoSec has had to deal with threats not only of a greater magnitude in complexity but also in sheer volume. So in our concerted, and at times hasty, efforts to keep up with all that’s out there, are we leaving ourselves exposed? Do we need to double-back and cover our tracks?

Fact is, there is a lot to keep up with, even for security super-heroes. Given the nature of the beast, we’re always looking forward, trying to keep up or gain a little ground to ready ourselves for the next challenge. But what about those “backdoors” we just closed?

malware3Cleaning up after mass events like ShellShock/Bashbug and Heartbleed isn’t straightforward. Sadly, one patch does not fit all when there are multiple iterations of operating systems and devices. And the truth is – there just aren’t enough good people or hours in a day to comb through all the stuff out there to find and fix what’s at risk, much as we want to. Much as we need to. What happens next is inevitable. The adversary takes advantage, finds the hole, and builds exploits that we then must find and shut down in a series of blocks and tackles.

Here’s a recent case in point: Shellshock and QNAP. Shellshock doesn’t just impact servers. It impacts devices connecting to these servers through the internet: wireless access points, routers, smart fridges, video cams, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge. The real challenge has been to identify and patch all those different exposed devices. QNAP makes network attached storage devices that are popular world-wide. And therefore ideal targets for Shellshock exploits.

While QNAP did issue a firmware patch in October, Shellshock worm exploits were detailed later in December. The worm targeted a particular CGI script, /cgi-bin/authLogin.cgi, which could then be accessed without authentication. That would allow attackers to launch a shell script that could in future download more malware. Essentially, keeping the backdoor open.cgi backdoor

One of the interesting things noted about this worm, per Kaspersky’s detailed write up, was that the script it made then downloaded and installed QNAP’s Shellshock patch. Yes! But in a move that was strictly territorial to keep other opportunistic attackers out.

Kaspersky advised that

“IT staff responsible for these devices security should apply patches themselves, or a worm will do it. At a price”

I’ve followed up with QNAP, and nothing else has been issued. The onus is on the users to identify and patch their products. Need I say more?

It’s easy to lose track when the tyranny of the urgent sets our agendas for us. And it’s hard to be proactive when you’re busy fighting fires. But the fact is we need to keep watching those backdoors – because they don’t always shut completely.

This post was featured on DarkMatters, the security blog by Norse Corp

The lead illustration is an actual screencapture of Shellshock malware by, a whitehat security research workgroup

Why Encryption Matters: Political Insecurity vs InfoSec

cam and bam

You own your own security. Bottom-line, when it comes down to planning how to protect yourself and what is yours, that decision should belong to you. But that’s not what President Obama, UK Prime Minister David Cameron or French Prime Minister Hollande would have you believe after their exchange of inflammatory rhetoric last week. If these three global leaders have their way, rather than securing our freedoms in the face of terrorism, they’ll be restricting the safeguards we need in place, and opening the cyber backdoor to those threats they fear most.

It appears fear fuelled knee-jerk reactions following the horrific terror attacks in France. French PM Hollande called for tighter surveillance measures to potentially weaken and cripple encryption in France. That encouraged UK Prime Minister David Cameron to say he’d like to ban certain forms of encryption, impacting popular messaging apps like iMessage and WhatsApp. You can read this post by Cory Doctorow to get a shopping list of what they want to limit US President Obama’s new Internet security proviso followed hard on the heels of Cameron’s call to outlaw encryption. Instead, they want to build “backdoors” into applications, that would allow government officials to have the ability to read all media and messages, and effectively give the state far more access and control over everyone else. But as Cory so aptly points out “there’s no back door that only lets good guys go through it.”

Official White House photo by Pete Souza

Official White House photo by Pete Souza

When Obama delivers his State of The Union address on January 20th, he’s going to make his case against encryption, and against the people in InfoSec who watch our backdoors constantly, identifying and tracking down threats from around the world.  There is a lot of money being made by people who can breach security, acquire our personal data, and sell it to the highest bidder.  The stakes are much higher when it comes to securing our critical infrastructure: power, water, communications, defense.  We have clear proof that those systems have already been targeted and penetrated.  Those systems are vital to our way of life, and deserve the best protection we can offer.

Rob Graham has written an excellent response to this in his blog, Errata Security, and he levels this warning: “The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear…This creates an open-door for nation-state hackers and the real cybercriminals.”


Call me crazy, but I think we should listen to those who know a lot more then the rest of us think we do. Misguided Security warns “once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary”. Encryption keeps data safe, keeps identities safe, whereas backdoors and uninvited surveillance create risk.


These guys aren’t the hackers – they’re the ones that protect us from them.  Yet the term is dangerously misunderstood. Rob Graham explains “Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them.” There’s a diligent army of highly skilled folks working on our behalf out there, scrutinizing infinite lines of code to catch what we don’t want to have. They share what they learn in real time, a collaborative, co-operative and highly effective network. Given the opportunity, we really should be listening to them.

Thanks to the folks in InfoSec and the tools they use daily, I’ve watched botnets being launched by attackers from China.  To see what is coming at us in real time just click on this link to a map by Norse



We need the freedom to innovate and explore technology so that it will serve us better. As Rob Graham points out, “Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that. ”  How can we defend ourselves if we handcuff those who do? There’s currently a movement afoot within the InfoSec community to spread the word and explain the real value of encryption so that everybody understands they have a stake in this. (I admit, I may be owning one of these shirts myself).

Currently, this seems to be couched as a “tech” issue, with the political pundits throwing words around like “cyber”, “encryption” and “hacker”, terms that can easily be used in a campaign of fear-mongering by government policy makers to assume control. The assumption is that the average person will probably stop listening because they consider this out of their realm, so it doesn’t apply to them. But that couldn’t be further from the truth. This argument is not just about technology anymore. It challenges current standards of freedom and privacy, and within that, how we get to protect ourselves. And everything we hold dear. Isn’t that our decision to make?